Hello!
I'm designing a new topology for accessing the Internet using a Cisco 2921 (NAT) and an MS ISA Firewall. In brief, my topology looks like this.
I'm going to use ISA as a proxy to publish some internal services and to provide Internet access for my users. ISA won't use NAT; it will route traffic. The Cisco 2921 will handle NAT, ISP failover and IPsec VPN to the datacenters.
The Cisco 3750 will route outbound internal traffic.
My routing for internal users on the Cisco 3750 will look like this:
10.10.200.0 255.255.255.0 192.168.200.1 (outbound traffic to the datacenter goes directly to the Cisco 2921)
0.0.0.0 0.0.0.0 192.168.201.1 (other outbound traffic goes to the ISA server and then to the Cisco 2921)
My question is about the route from the Cisco 2921 back to my local network 192.168.0.0/22.
Can I write it like this?
192.168.0.0 255.255.252.0 192.168.200.2 (traffic goes directly to the Cisco 3750)
Traffic will flow like this:
If I use this route, I'll keep my traffic from the datacenter from going through the ISA server, BUT all responses from the Internet will go directly to the 3750 too.
I have doubts about the security and functionality of such a solution. Or is it good enough?
Of course, I will publish my internal resources to the Internet that way. It is on the Cisco 2921:
ip nat inside source static tcp 172.16.0.2 80 (my external IP) 80
I could use PBR to separate my traffic from the datacenter from the other traffic, but I don't know how to use PBR with IPsec VPN traffic.
Could you advise how to do this in a better way?
Thank you very much!
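The following is an added example and not part of the original post. It sketches one way to do the PBR split mentioned in the question on the Cisco 2921 so that only decrypted datacenter traffic is handed straight to the 3750, while Internet return traffic follows the normal route through ISA. It assumes the IPsec VPN is terminated on a virtual tunnel interface (VTI, `Tunnel0`) rather than a crypto map, because PBR applied on a VTI sees the decrypted packets; the interface names, the `10.255.0.1/30` tunnel address, the `DC-PROFILE` IPsec profile name, and the ISA external address placeholder `<ISA-external-address>` are all assumptions, not values from the original post.

```cisco
! Added example: assumed IPsec VTI toward the datacenter (replace names and
! addresses with your own; these are placeholders, not from the original post).
interface Tunnel0
 description IPsec VTI to datacenter (assumed)
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination <datacenter-peer-address>
 tunnel protection ipsec profile DC-PROFILE
 ! PBR on the VTI is evaluated after decryption, so it matches the
 ! cleartext datacenter traffic, not the ESP packets.
 ip policy route-map DC-DIRECT
!
! Only traffic from the datacenter prefix to the local LAN is matched.
ip access-list extended DC-TO-LAN
 permit ip 10.10.200.0 0.0.0.255 192.168.0.0 0.0.3.255
!
! Matched datacenter traffic is sent directly to the 3750 (192.168.200.2);
! anything else on Tunnel0 falls through to the routing table.
route-map DC-DIRECT permit 10
 match ip address DC-TO-LAN
 set ip next-hop 192.168.200.2
!
! Normal (non-PBR) route to the LAN points at the ISA external interface,
! so Internet return traffic, including traffic for the published 172.16.0.2:80
! service, passes through ISA instead of bypassing it via the 3750.
ip route 192.168.0.0 255.255.252.0 <ISA-external-address>
!
! Static NAT for the published service, as in the original post.
ip nat inside source static tcp 172.16.0.2 80 <external-IP> 80
```

The point of the two routes is that the 2921 never has a plain static route to the LAN via the 3750; that path exists only for packets matched by `DC-DIRECT` on the tunnel, so Internet return traffic cannot take it and the ISA stays in the path for both directions of Internet flows. If the VPN is built with a crypto map on the outside interface instead of a VTI, check on your IOS version whether `ip policy route-map` on that interface is applied to the decrypted packets before relying on this; on platforms where it is not, a VTI is the simpler option.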